URL has text "password" - is it a risk? do we remove it? rename to session_id?
When the noVNC window opens the URL looks like this:
https://beta-api.cloud.cvl.org.au/vnc.html?password=3GEfEWSCm8evtJQMbuV5QdzLe804vS
Having password as a variable in the URL is going to raise a few questions. I am querying it.
Lance tried to login and couldn't . Maybe rename it to something else.